<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks Saso..<br>
<br>
Works perfectly now!!<br>
<br>
Saso Tavcar wrote:
<blockquote cite="mid:ED6898CB-EDFC-4B4B-B318-6C1971005CFB@ais42.net"
type="cite">Hi!
<br>
<br>
I had the same problem also with latest development packages for xl2tpd
and openswan.
<br>
PPP session does not start with L2TP+IPsec+PSK client configuration!?
<br>
<br>
Try with disabled IPsec on Windows XP client.
<br>
<br>
Run these registry settings and reboot your Windows XP client:
<br>
<br>
Windows Registry Editor Version 5.00
<br>
<br>
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
<br>
"prohibitipsec"=dword:00000001
<br>
<br>
<br>
Regards,
<br>
saso
<br>
<br>
<br>
On Mar 20, 2009, at 3:50 AM, Janantha Marasinghe wrote:
<br>
<br>
<blockquote type="cite">Hello,
<br>
<br>
Yes, all my clients are Windows XP (SP3). I do use xl2tpd for the
tunnel. The configuration of xl2tpd is
<br>
<br>
[global]
<br>
[lns default]
<br>
ip range = 10.8.109.100-10.8.109.110
<br>
local ip = 10.8.109.65
<br>
require chap = yes
<br>
refuse pap = yes
<br>
require authentication = yes
<br>
name = LinuxVPNServer
<br>
ppp debug = yes
<br>
pppoptfile = /etc/ppp/options.xl2tpd
<br>
length bit = yes
<br>
<br>
If this doesn't work I'll upgrade the current openswan as well (I see
an update for it for my FC9). Other
<br>
<br>
Catalin Sanda wrote:
<br>
<blockquote type="cite"><br>
Hello,
<br>
<br>
From what I can gather, you are trying to use a Windows 2000+
client to
<br>
connect to your Linux box. IPsec seems to work, so now you have to
set up the
<br>
L2TP tunnel (I personally use xl2tp).
<br>
<br>
Unfortunately the setup you are trying to achieve didn't work for me
because
<br>
of a bug in openswan (see the response to one of my earlier posts), so
I had
<br>
to switch to strongswan which worked.
<br>
<br>
Hope this helps,
<br>
Catalin
<br>
<br>
<br>
On Thu, Mar 19, 2009 at 12:52 PM, Janantha Marasinghe
<br>
<a class="moz-txt-link-rfc2396E" href="mailto:janantha@techcert.lk"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
<blockquote type="cite"> Hi Catalin,
<br>
<br>
Thanks for your suggestions. I amended as you stated and now it does go to
<br>
state 2. But after that it gets stuck on the following line written at
<br>
/var/log/secure
<br>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x38511bd7
<br>
<0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9
<br>
NATD=roadwarrior-routerip:4500 DPD=none}
<br>
<br>
My Windows clients give the 678 error message. Do I have to change my
ADSL
<br>
router firewall configuration? The rest of the transitions are below
<br>
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from
<br>
roadwarrior-routerip:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY
<br>
00000004]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from
<br>
roadwarrior-routerip:500: ignoring Vendor ID payload [FRAGMENTATION]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from
<br>
roadwarrior-routerip:500: received Vendor ID payload
<br>
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
<br>
Mar 19 16:16:00 mooshika pluto[32010]: packet from
<br>
roadwarrior-routerip:500: ignoring Vendor ID payload
[Vid-Initial-Contact]
<br>
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: responding to Main Mode from unknown peer roadwarrior-routerip
<br>
</blockquote>
</blockquote>
</blockquote>
<br>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">Mar 19 16:16:00 mooshika pluto[32010]:
"L2TP-PSK"[2] roadwarrior-routerip
<br>
#5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
<br>
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: STATE_MAIN_R1: sent MR1, expecting MI2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
is
<br>
NATed
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: STATE_MAIN_R2: sent MR2, expecting MI3
<br>
Mar 19 16:16:01 mooshika pluto[32013]: WARNING: calc_dh_shared(): for
<br>
OAKLEY_GROUP_MODP2048 took 228522 usec
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: Main mode peer ID is ID_FQDN: '@techcert-37a9ea'
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: new NAT mapping for #5, was roadwarrior-routerip:500, now
<br>
roadwarrior-routerip:4500
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: STATE_MAIN_R3: sent MR3, ISAKMP SA established
<br>
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
<br>
group=modp2048}
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: peer client type is FQDN
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: Applying workaround for MS-818043 NAT-T bug
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: IDci was FQDN: \300\370\010k, using NAT_OA=172.16.0.9/32 as IDci
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: the peer proposed: vpn.server.ip/32:17/1701 ->
172.16.0.9/32:17/1701
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
st_skey_ar in
<br>
duplicate_state, please report to <a class="moz-txt-link-abbreviated" href="mailto:dev@openswan.org">dev@openswan.org</a>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
st_skey_er in
<br>
duplicate_state, please report to <a class="moz-txt-link-abbreviated" href="mailto:dev@openswan.org">dev@openswan.org</a>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
st_skey_pi in
<br>
duplicate_state, please report to <a class="moz-txt-link-abbreviated" href="mailto:dev@openswan.org">dev@openswan.org</a>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#5: alloc_bytes1() was mistakenly asked to malloc 0 bytes for
st_skey_pr in
<br>
duplicate_state, please report to <a class="moz-txt-link-abbreviated" href="mailto:dev@openswan.org">dev@openswan.org</a>
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: responding to Quick Mode proposal {msgid:c1ca4ad8}
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: us: vpn.server.ip<vpn.server.ip>[+S=C]:17/1701
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: them: roadwarrior-routerip[@techcert-37a9ea,+S=C]:17/1701===
<br>
172.16.0.9/32
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
<br>
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2]
roadwarrior-routerip
<br>
#6: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x38511bd7
<br>
<0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9
<br>
NATD=roadwarrior-routerip:4500 DPD=none}
<br>
<br>
<br>
<br>
Catalin Sanda wrote:
<br>
<br>
It might help if you have something like:
<br>
<br>
config setup
<br>
#......
<br>
nat_traversal=yes
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
<br>
<br>
conn L2TP-PSK
<br>
#.......
<br>
rightsubnet=vhost:%no,%priv
<br>
<br>
<br>
<br>
On Thu, Mar 19, 2009 at 10:09 AM, Janantha Marasinghe
<a class="moz-txt-link-rfc2396E" href="mailto:janantha@techcert.lk"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
<br>
Thanks Andrew,
<br>
<br>
I have included nat_traversal=yes in the ipsec.conf and restarted the
<br>
services but still the same!
<br>
<br>
<br>
<br>
andrew colin wrote:
<br>
<br>
I think you do not have NAT traversal enabled; that is why.
<br>
<br>
On Thu, Mar 19, 2009 at 5:54 AM, Janantha Marasinghe
<a class="moz-txt-link-rfc2396E" href="mailto:janantha@techcert.lk"><janantha@techcert.lk></a> wrote:
<br>
<br>
<br>
Dear All,
<br>
<br>
Currently I'm trying to connect to my openswan server. My network
setup
<br>
is given below. When I try to connect using a fully up to date SP3
<br>
Windows XP system, I see the following error in the VPN server's
<br>
secure log
<br>
<br>
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: cannot respond to IPsec SA request because no
<br>
connection is known for
<br>
vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
<br>
<br>
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: sending encrypted notification
<br>
INVALID_ID_INFORMATION to roadwarrior-routerip:4500
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: peer client type is FQDN
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: Applying workaround for MS-818043 NAT-T bug
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: IDci was FQDN: \300\370\010k, using
<br>
NAT_OA=172.16.0.9/32 as IDci
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: the peer proposed: vpn.server.ip/32:17/1701
->172.16.0.9/32:17/1701
<br>
Mar 19 09:06:03 mooshika pluto[18623]: "L2TP-PSK"[4]
<br>
roadwarrior-routerip #2: cannot respond to IPsec SA request because no
<br>
connection is known for
<br>
vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computer-37a9ea,+S=C]:17/1701===172.16.0.9/32
<br>
<br>
<br>
<br>
private network 172.16.0.0/255.255.255.240 --> ADSL Router (NAT
enabled)
<br>
---------Internet--------------OpenswanVPN(Public IP Address)
<br>
<br>
My ipsec.conf is
<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file
<br>
#
<br>
# Manual: ipsec.conf.5
<br>
#
<br>
# Please place your own config files in /etc/ipsec.d/ ending in .conf
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification
<br>
<br>
# basic configuration
<br>
config setup
<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.
<br>
# klipsdebug=none
<br>
# plutodebug="control parsing"
<br>
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
<br>
protostack=netkey
<br>
<br>
conn L2TP-PSK
<br>
#
<br>
authby=secret
<br>
pfs=no
<br>
rekey=no
<br>
keyingtries=3
<br>
#
<br>
# ----------------------------------------------------------
<br>
# The VPN server.
<br>
#
<br>
# Allow incoming connections on the external network interface.
<br>
# If you want to use a different interface or if there is no
<br>
# defaultroute, you can use: left=your.ip.addr.ess
<br>
#
<br>
left=public.ip.address.of.vpn.server
<br>
#
<br>
leftprotoport=17/1701
<br>
# If you insist on supporting non-updated Windows clients,
<br>
# you can use: leftprotoport=17/%any
<br>
#
<br>
# ----------------------------------------------------------
<br>
# The remote user(s).
<br>
#
<br>
# Allow incoming connections only from this IP address.
<br>
right=%any
<br>
# If you want to allow multiple connections from any IP address,
<br>
# you can use: right=%any
<br>
#
<br>
rightprotoport=17/1701
<br>
#
<br>
# ----------------------------------------------------------
<br>
# Change 'ignore' to 'add' to enable this configuration.
<br>
#
<br>
auto=add
<br>
<br>
include /etc/ipsec.d/no_oe.conf
<br>
<br>
Do I have to put additional information in the ipsec.conf to include
<br>
172.16.0.0/255.255.255.240 ?
<br>
<br>
--
<br>
<br>
_______________________________________________
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
<br>
Building and Integrating Virtual Private Networks with
Openswan: <a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
<br>
<br>
<br>
--
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--
<br>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
-- <br>
<br>
_______________________________________________
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
<br>
Building and Integrating Virtual Private Networks with Openswan:
<br>
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
<div class="moz-signature">-- <br>
</div>
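<br>
Added example, not code from anyone in this thread: a small Python parser for the Openswan pluto log lines quoted above, with a diagnosis step that maps the two patterns the thread shows (the "cannot respond to IPsec SA request because no connection is known" refusal in the first post, and the fully established ISAKMP and IPsec SAs after the nat_traversal / virtual_private / rightsubnet=vhost:%no,%priv change) to the conclusions the thread reaches. Assumed: the line layout is the Openswan 2.x pluto format exactly as it appears in the quoted logs; the sample input is constructed from those quoted lines, keeping the poster's own placeholders "roadwarrior-routerip" and "vpn.server.ip".<br>
<br>
```python
import re
from collections import defaultdict

# Sample input, constructed from the pluto log lines quoted in this thread
# (the poster's placeholders "roadwarrior-routerip" and "vpn.server.ip" kept).
WORKING_LOG = """\
Mar 19 16:16:00 mooshika pluto[32010]: packet from roadwarrior-routerip:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: responding to Main Mode from unknown peer roadwarrior-routerip
Mar 19 16:16:00 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: responding to Quick Mode proposal {msgid:c1ca4ad8}
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 19 16:16:01 mooshika pluto[32010]: "L2TP-PSK"[2] roadwarrior-routerip #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x38511bd7 <0xd834470c xfrm=3DES_0-HMAC_MD5 NATOA=172.16.0.9 NATD=roadwarrior-routerip:4500 DPD=none}
"""

FAILING_LOG = """\
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: cannot respond to IPsec SA request because no connection is known for vpn.server.ip<vpn.server.ip>[+S=C]:17/1701...roadwarrior-routerip[@computername-37a9ea,+S=C]:17/1701===172.16.0.9/32
Mar 19 09:06:02 mooshika pluto[18623]: "L2TP-PSK"[4] roadwarrior-routerip #2: sending encrypted notification INVALID_ID_INFORMATION to roadwarrior-routerip:4500
"""

# Shape of an Openswan 2.x pluto line that carries an IKE state number (#n).
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state \S+ to state (\S+)")
IPSEC_SA_RE = re.compile(r"IPsec SA established .*xfrm=(?P<xfrm>\S+)")
NO_CONN_TEXT = "cannot respond to IPsec SA request because no connection is known"
LEGACY_ALGS = ("3DES", "MD5")  # transforms a reviewer would flag today


def _new_state():
    return {"transitions": [], "nated": False, "isakmp_sa": False,
            "ipsec_sa": False, "xfrm": None, "errors": []}


def parse_pluto_log(text):
    """Summarise each IKE state (#n): transitions, NAT-T result, ISAKMP and
    IPsec SA establishment, the ESP transform, and refusal messages."""
    states = defaultdict(_new_state)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor-ID / "packet from" lines carry no state number
        st, msg = states[int(m.group("state"))], m.group("msg")
        t = TRANSITION_RE.search(msg)
        if t:
            st["transitions"].append(t.group(1))
        if "peer is NATed" in msg:
            st["nated"] = True
        if "ISAKMP SA established" in msg:
            st["isakmp_sa"] = True
        s = IPSEC_SA_RE.search(msg)
        if s:
            st["ipsec_sa"], st["xfrm"] = True, s.group("xfrm")
        if NO_CONN_TEXT in msg or "INVALID_ID_INFORMATION" in msg:
            st["errors"].append(msg)
    return dict(states)


def diagnose(states):
    """Map the parsed states to the findings discussed in the thread."""
    findings = []
    all_errors = [e for st in states.values() for e in st["errors"]]
    if any(NO_CONN_TEXT in e for e in all_errors):
        findings.append(("phase2-selector-mismatch",
                         "the NATed client proposes its private address as the "
                         "Quick Mode selector and no conn covers it; the thread's "
                         "fix is nat_traversal=yes, virtual_private=..., and "
                         "rightsubnet=vhost:%no,%priv on the L2TP conn"))
        return findings
    established = [st for st in states.values() if st["ipsec_sa"]]
    if not established:
        findings.append(("ike-incomplete", "no IPsec SA was established"))
        return findings
    findings.append(("ipsec-established",
                     "IKE and IPsec SAs are up; if the L2TP/PPP session still "
                     "fails (Windows error 678), look above IPsec at xl2tpd/pppd"))
    if any(st["nated"] for st in states.values()):
        findings.append(("nat-t", "peer is behind NAT; ESP is carried in UDP 4500"))
    for st in established:
        if any(a in st["xfrm"] for a in LEGACY_ALGS):
            findings.append(("legacy-algorithms",
                             f"ESP transform {st['xfrm']} uses 3DES/MD5"))
    return findings


if __name__ == "__main__":
    for name, log in (("working", WORKING_LOG), ("failing", FAILING_LOG)):
        print(name)
        for code, why in diagnose(parse_pluto_log(log)):
            print(f"  [{code}] {why}")
```
<br>
Run it as a script to print the findings for both samples, or pass the relevant part of /var/log/secure to parse_pluto_log(). One caveat on the thread's final workaround: with prohibitipsec set to 1 the Windows client never negotiates IPsec, so pluto logs nothing for that connection and the L2TP/PPP session then runs without IPsec protection; the setting isolates the fault to the L2TP/PPP layer, it does not fix it.<br>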
</body>
</html>